5 Best Practices for Manufacturing Cybersecurity

Is your customers’ data secure? Most leaders of CNC machining businesses likely would say “yes,” but answering in the affirmative is no longer enough for those seeking sensitive defense-industry work. The struggle to meet new government standards shows the extent to which basic cybersecurity best practices can differentiate not only these manufacturers, but virtually any shop trusted with sensitive data. 

This was the subject of a recent conversation with David Watts, solution consultant at Avatara, an information technology firm that is focusing on helping small- and mid-sized manufacturers meet new Department of Defense (DoD) requirements. More specifically, Avatara is helping DoD suppliers prepare for Cybersecurity Maturity Model Certification (CMMC). While current regulations dictate that DoD suppliers constantly track and update their own security policies and report on progress, the new CMMC requires answering to third-party auditors, and doing so prior to the awarding of a contract rather than after the fact. “A lot of manufacturers are going to be caught flat-footed,” Mr. Watts says.

National security implications aside, Mr. Watts says a crisis for some can present opportunity for others. Based on Avatara’s experience with customers so far, the most significant areas of weakness involve practices and procedures that are rudimentary by modern cybersecurity standards, even if they take time and effort to implement. As he puts it, “If you don’t do this stuff, you’re nowhere near ready for CMMC. But really, a lot of it could be viewed as basic best practices for anyone.” Examples include:  

Training Regularly

Although the specifics had not been published at the time of this writing, the CMMS builds directly on the current National Institute for Technology (NIST) 800-171 standard, which already specifies training for key employees. “You’ll have to show the auditors, ‘Here are the training sessions, here are which ones we passed and failed, and here’s what we’re doing about it if we failed,’” Watts says.

Even without auditing, staying up to date is essential because threats are ever-evolving, he says. For example, security technology might not be enough for shops that do not appreciate the power of social engineering tactics. Phishing, or the sending of fake emails to obtain passwords or other information, is a classic example. “Just having a firewall in place is not enough to prevent that,” he says, adding that formal training should include practicing fake attacks. “It’ll tell you ‘Bob clicked this link seven times,’ and then you can tailor your training to Bob.’”

Requiring Strong Passwords

Password policies — that is, the rules governing what makes a good password — could explain part of the reason for the prevalence of tactics like phishing. Mr. Watts says that following best practices for passwords is a requirement for CMMC Level 3, the minimum level of certification for most CNC machining businesses seeking DoD contracts. Examples include requirements for certain numbers of characters and symbols; requirements that passwords change regularly; limits on using identical passwords; and limits on log-in attempts.

Requiring Multi-Factor Authentication

Multi-factor authentication refers to the use of multiple means — that is, more than just a password — to verify that users are who they say they are. For instance, a bank might ask for both a log-in ID and the answers to personal security questions. This is good practice in general, but necessary for CMMC, Mr. Watts says.

Monitoring for Threats

As is the case with current NIST standards, CMMC requires monitoring incoming and outgoing data to detect attacks and potential indicators of attacks, Mr. Watts says. Examples include malicious code, communications with external systems, unusual traffic patterns and so forth. Likewise, records of data crossing a network are necessary to identify attackers, weak points and more in the event of a security breach.   

Considering Security Beyond the Virtual

One of the simplest ways to steal sensitive data is to simply plug a USB stick into a computer or server. For its part, Avatara maintains all customers’ data in a private data center environment. Servers lack a port for any removable media, and are locked behind biometric access points and defended by armed guards. Manufacturers that opt to maintain their own information technology infrastructure may not go to these lengths, but precautions might be warranted even if the risk is more to a shop’s own financials rather than national security.